Office 365 Audit for Created Group triggers for non-group creation

%3CLINGO-SUB%20id%3D%22lingo-sub-334601%22%20slang%3D%22en-US%22%3EOffice%20365%20Audit%20for%20Created%20Group%20triggers%20for%20non-group%20creation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-334601%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20trying%20to%20get%20our%20Office%20365%20Groups%20to%20stop%20multiplying%20like%20rabbits%2C%20I%20set%20up%20an%20audit%20alert%20for%20%22Created%20Group%22%20under%20Site%20Permissions.%20It%20is%20to%20mainly%20trap%20when%20someone%20creates%20a%20Planner%20in%20the%20Planner%20URL%20vs%20inside%20of%20Teams.%20The%20former%20creates%20an%20entirely%20new%20group.%20The%20latter%20just%20creates%20another%20Planner%20in%20the%20Group%20for%20the%20team.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20this%20morning%20I%20got%20an%20alert%20that%20someone%20created%20a%20group%20that%20has%20existed%20for%202%2B%20years.%20So%20then%20I%20looked%20at%20the%20audit%20log%20for%20%22Created%20Group%22%20going%20back%202%20weeks%2C%20and%20there%20are%20a%20few%20dozen%20entries%2C%20and%20not%20a%20one%20is%20a%20new%20group.%20One%20is%20even%20mine%20and%20looking%20at%20the%20group%20that%20was%20%22created'%20it%20is%20my%20OneDrive%20for%20Business%20account.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2FTENANTNAME-my.sharepoint.com%2Fpersonal%2Fed_hansberry_COMPANY_com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2FTENANTNAME-my.sharepoint.com%2Fpersonal%2Fed_hansberry_COMPANY_com%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EObviously%20I%20didn't%20create%20a%20group%20here.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ESo...%3C%2FSPAN%3E%3C%2FP%3E%3COL%3E%3CLI%3E%3CSPAN%3Ewhat%20is%20this%20audit%20type%20actually%26nbsp%3B%3C%2FSPAN%3Eauditing%20and%3C%2FLI%3E%3CLI%3EHow%20can%20I%20find%20out%20when%20a%20Office%20365%20Group%20is%20actually%20created%3F%3C%2FLI%3E%3C%2FOL%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-334601%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EChange%20Alerts%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%20Groups%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-334690%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Audit%20for%20Created%20Group%20triggers%20for%20non-group%20creation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-334690%22%20slang%3D%22en-US%22%3E1.%20Created%20group%20%3D%20Site%20administrator%20or%20owner%20creates%20a%20group%20for%20a%20site%2C%20or%20performs%20a%20task%20that%20results%20in%20a%20group%20being%20created.%20For%20example%2C%20the%20first%20time%20a%20user%20creates%20a%20link%20to%20share%20a%20file%2C%20a%20system%20group%20is%20added%20to%20the%20user's%20OneDrive%20for%20Business%20site.%20This%20event%20can%20also%20be%20a%20result%20of%20a%20user%20creating%20a%20link%20with%20edit%20permissions%20to%20a%20shared%20file.%3CBR%20%2F%3E%3CBR%20%2F%3E2.%20You%20should%20look%20for%20%22Added%20group%22%20%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fsearch-the-audit-log-in-security-and-compliance%23audited-activities%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fsearch-the-audit-log-in-security-and-compliance%23audited-activities%3C%2FA%3E%3C%2FLINGO-BODY%3E
Regular Contributor

In trying to get our Office 365 Groups to stop multiplying like rabbits, I set up an audit alert for "Created Group" under Site Permissions. It is to mainly trap when someone creates a Planner in the Planner URL vs inside of Teams. The former creates an entirely new group. The latter just creates another Planner in the Group for the team.

 

But this morning I got an alert that someone created a group that has existed for 2+ years. So then I looked at the audit log for "Created Group" going back 2 weeks, and there are a few dozen entries, and not a one is a new group. One is even mine and looking at the group that was "created' it is my OneDrive for Business account.

 

https://TENANTNAME-my.sharepoint.com/personal/ed_hansberry_COMPANY_com

 

Obviously I didn't create a group here. 

 

So...

  1. what is this audit type actually auditing and
  2. How can I find out when a Office 365 Group is actually created?
1 Reply
1. Created group = Site administrator or owner creates a group for a site, or performs a task that results in a group being created. For example, the first time a user creates a link to share a file, a system group is added to the user's OneDrive for Business site. This event can also be a result of a user creating a link with edit permissions to a shared file.

2. You should look for "Added group"

https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-c...